R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

November 2, 2014

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - US Justice Dept. focuses new squad on cybercrime combat - The threat and consequences of cybersecurity attacks today lead the US Department of Justice to reorganize in an effort to better battle the scourge. http://www.networkworld.com/article/2836310/security0/us-justice-dept-focuses-new-squad-on-cybercrime-combat.html

FYI - APPLE support doc CONFIRMS 'ORGANIZED NETWORK ATTACKS' - China govt: It wasn't us, honest - Apple is warning its iCloud users over heightened spying risks following the discovery of attacks which security watchers have claimed are down to crude snooping by the Chinese government. http://www.theregister.co.uk/2014/10/22/apple_icloud_snooping_china/

FYI - Feds urge early cooperation in malware investigations - The financial services industry has garnered a reputation among cybersecurity professionals for being among the more resilient sectors in the face of cyberattacks. http://fcw.com/articles/2014/10/20/cyber-resiliency-from-cooperation.aspx

FYI - FCC fines telecom companies $10 million - The Federal Communications Commission (FCC) fined two jointly owned American telecom companies, TerraCom, Inc. and YourTel America, Inc., $10 million this past week after they failed to properly protect users' personal information. http://www.scmagazine.com/terrcom-inc-and-yourtel-fined-10-million/article/379551/

FYI - Banks Demand That Law Firms Harden Cyberattack Defenses - Background Checks, System Audits Are Used to Close Potential Back-Door Breaches - Big banks are demanding that their law firms do more to protect sensitive information to ensure that they don’t become back doors for hackers. http://online.wsj.com/articles/banks-demand-that-law-firms-harden-cyberattack-defenses-1414354709

FYI - Operators disable firewall features to increase network performance, survey finds - In a recent survey of 504 IT professionals, McAfee found that 60 percent prioritize security as the primary driver of network design – something the company did not find too surprising considering recent high-profile breaches. http://www.scmagazine.com/operators-disable-firewall-features-to-increase-network-performance-survey-finds/article/380341/


FYI - Malware on Breyer Horses website for about 18 months, payment card data at risk - An undisclosed number of people who made purchases on the Breyer Horses website between March 31, 2013 and Oct. 6 are being notified that their personal information – including payment card data – may have been compromised by malware that was installed on the computer server hosting the website. http://www.scmagazine.com/breyer-horses-website-compromised-payment-cards-at-risk/article/379137/

FYI - Fidelity National Financial employees targeted in phishing attack - Fidelity National Financial is notifying an undisclosed number of individuals that their personal information – including Social Security numbers, bank account numbers and payment card numbers – may have been accessible after a small number of employees had their email accounts compromised in a targeted phishing attack. http://www.scmagazine.com/fidelity-national-financial-employees-targeted-in-phishing-attack/article/379527/

FYI - Unencrypted discs missing, Arizona State Retirement System notifies 44,000 - The Arizona State Retirement System (ASRS) is notifying nearly 44,000 individuals enrolled in ASRS dental plans that two unencrypted discs containing their personal information – including Social Security numbers – were sent to a benefits company in Missouri, but were not received. http://www.scmagazine.com/unencrypted-discs-missing-arizona-state-retirement-system-notifies-44000/article/379649/

FYI - California data breach report reveals spike in incidents - A new report by California Attorney General Kamala Harris analyzes the damage that data breaches have taken on the state's residents and indicates an uptick in incidents. http://www.scmagazine.com/california-data-breach-report-reveals-spike-in-incidents/article/379897/

FYI - Arkansas State University-Beebe is investigating a potential breach - Arkansas State University-Beebe (ASU-Beebe) is notifying students and employees of a service running on one of its servers – which contained personal information – that could pose a potential breach to the system. http://www.scmagazine.com/arkansas-state-university-beebe-is-investigating-a-potential-breach/article/379924/

FYI - Hackers grab email addresses of CurrentC pilot participants - Just as the merchants supporting CurrentC had begun to take clear steps to shut out recently unveiled rival Apple Pay, hackers stole email addresses from the mobile payment app, leaving some to speculate that consumer confidence will drop and Apple could gain an advantage. http://www.scmagazine.com/currentc-targeted-by-unauthorized-third-parties/article/380342/

FYI - About 60K transactions possibly affected in Cape May-Lewes Ferry breach - The security of card processing systems relating to food, beverage and retail sales at the Cape May-Lewes Ferry was compromised and data from certain credit and debit cards used from Sept. 20, 2013 to Aug. 7 may be at risk. http://www.scmagazine.com/about-60k-transactions-possibly-affected-in-cape-may-lewes-ferry-breach/article/380206/


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 7: Banks should take appropriate measures to preserve the confidentiality of key e-banking information. Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases.

 Confidentiality is the assurance that key information remains private to the bank and is not viewed or used by those unauthorized to do so. Misuse or unauthorized disclosure of data exposes a bank to both reputation and legal risk. The advent of e-banking presents additional security challenges for banks because it increases the exposure that information transmitted over the public network or stored in databases may be accessible by unauthorized or inappropriate parties or used in ways the customer providing the information did not intend. Additionally, increased use of service providers may expose key bank data to other parties.
 To meet these challenges concerning the preservation of confidentiality of key e-banking information, banks need to ensure that:
 1)  All confidential bank data and records are only accessible by duly authorized and authenticated individuals, agents or systems.
 2)  All confidential bank data are maintained in a secure manner and protected from unauthorized viewing or modification during transmission over public, private or internal networks.
 3)  The bank's standards and controls for data use and protection must be met when third parties have access to the data through outsourcing relationships.
 4)  All access to restricted data is logged and appropriate efforts are made to ensure that access logs are resistant to tampering.


We continue our series on the FFIEC interagency Information Security Booklet.  
 Financial institutions should take reasonable steps to ensure that sufficient data is collected from secure log files to identify and respond to security incidents and to monitor and enforce policy compliance. Appropriate logging controls ensure that security personnel can review and analyze log data to identify unauthorized access attempts and security violations, provide support for personnel actions, and aid in reconstructing compromised systems.
 An institution's ongoing security risk assessment process should evaluate the adequacy of the system logging and the type of information collected. Security policies should address the proper handling and analysis of log files. Institutions have to make risk-based decisions on where and when to log activity. The following data are typically logged to some extent, including:
 • Inbound and outbound Internet traffic,
 • Internal network traffic,
 • Firewall events,
 • Intrusion detection system events,
 • Network and host performance,
 • Operating system access (especially high-level administrative or root access),
 • Application access (especially users and objects with write-and-execute privileges), and
 • Remote access.


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.
 Sharing nonpublic personal information with nonaffiliated third parties under Sections 13, and 14 and/or 15 but not outside of these exceptions (Part 2 of 2)
 B. Presentation, Content, and Delivery of Privacy Notices 
 1)  Review the financial institution's initial and annual privacy notices. Determine whether or not they:
 a.  Are clear and conspicuous (§§3(b), 4(a), 5(a)(1)); 
 b.  Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and
 c.  Include, and adequately describe, all required items of information and contain examples as applicable (§§6, 13).
 2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written consumer records where available, determine if the institution has adequate procedures in place to provide notices to consumers, as appropriate. Assess the following:
 a.  Timeliness of delivery (§4(a)); and
 b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9).
 c.  For customers only, review the timeliness of delivery (§§4(d), 4(e), and 5(a)), means of delivery of annual notice (§9(c)), and accessibility of or ability to retain the notice (§9(e)).

(At the end of November 2014, we will discontinue this section on Internet Privacy.  You will find the entire regulation PART 332—PRIVACY OF CONSUMER FINANCIAL INFORMATION at http://www.fdic.gov/regulations/laws/rules/2000-5550.html.)


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


